Sniff TCP connections

In the Windows world there is no standard tool for seeing what is going on at the network level.

I have been working for quite a while with web services, encryption and signing, so it is vital for me to see exactly what goes over the wire when a web service is called.

TCP proxies
The way I was doing it until recently was to use TCP proxies. A TCP proxy opens a TCP port and forwards everything it receives to some other host:port; while doing so it dumps every connection to the screen or to a file.
For example, if I want to listen to what goes on at local port 8080 (local to the machine I am working on), the following has to be done: the software listening on 8080 (a web service) is moved to, say, 18080, and then the proxy is started on 8080 and forwards everything to localhost:18080.

There is one minor drawback to the whole story: either the service is moved, as above, or the clients have to be given a port that is not the port where the service really listens. Either way, if the proxy is not running, the service is invisible.

I have mostly used tcpmon and wsmonitor. wsmonitor sucks a lot. tcpmon works, but cannot handle moderately heavy traffic and has a lot of very annoying quirks. Anyway, until recently this was my primary way of doing things.
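The proxy scheme described above, as an added example written for this page (it is not the code of tcpmon or wsmonitor): a small Python TCP proxy that listens on one port, forwards to another host:port and hex-dumps both directions as it goes. To keep it self-contained and runnable offline, demo() starts an echo handler on loopback that stands in for the web service moved to 18080, lets the OS pick free ports instead of the 8080/18080 from the text, and sends one constructed HTTP request through the proxy. The detail worth noticing is the half-close in pump(): when the client stops sending, the proxy must shut down only its writing side toward the service, otherwise a reply still in flight is cut off.

```python
# Logging TCP proxy: listen on one port, forward to host:port, dump both directions.
# Added example, not tcpmon's or wsmonitor's code. Runs entirely on loopback; the echo
# handler at the bottom stands in for the web service that was moved to port 18080.
import socket
import threading

def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII lines, the way proxy tools display captured traffic."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

def listen(host: str, port: int) -> socket.socket:
    """Bind a listening socket; port 0 lets the OS pick a free port (used by demo())."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv

def serve_in_background(srv: socket.socket, handler) -> None:
    """Accept on srv forever in a daemon thread, one thread per accepted connection."""
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def pump(src: socket.socket, dst: socket.socket, label: str, log) -> None:
    """Copy src -> dst until EOF, logging each chunk before it is forwarded."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            log(label, data)
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # half-close only: the reply may still be flowing back
        except OSError:
            pass

class TcpProxy:
    def __init__(self, listen_port: int, upstream: tuple, listen_host: str = "127.0.0.1"):
        self.upstream = upstream
        self.captured = []              # (direction, bytes) in arrival order
        self._lock = threading.Lock()
        self._srv = listen(listen_host, listen_port)

    @property
    def port(self) -> int:
        return self._srv.getsockname()[1]

    def log(self, direction: str, data: bytes) -> None:
        with self._lock:
            self.captured.append((direction, data))
        print(f"[{direction}] {len(data)} bytes\n{hexdump(data)}")

    def handle(self, client: socket.socket) -> None:
        upstream = socket.create_connection(self.upstream)
        threads = [threading.Thread(target=pump, args=(client, upstream, "C->S", self.log)),
                   threading.Thread(target=pump, args=(upstream, client, "S->C", self.log))]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        client.close()
        upstream.close()

    def start(self) -> None:
        serve_in_background(self._srv, self.handle)

def echo(conn: socket.socket) -> None:
    """Handler for the stand-in service: echo every byte back to the client."""
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:
                break
            conn.sendall(data)

def demo(request: bytes = b"GET /service HTTP/1.1\r\nHost: localhost\r\n\r\n"):
    """Service, proxy and one client in-process; returns (reply seen by the client,
    list of (direction, bytes) the proxy captured). The request is constructed sample input."""
    service = listen("127.0.0.1", 0)                 # plays the role of the service on 18080
    serve_in_background(service, echo)
    proxy = TcpProxy(0, service.getsockname())       # plays the role of the proxy on 8080
    proxy.start()
    # The drawback noted in the text: the client must be pointed at the proxy's port.
    with socket.create_connection(("127.0.0.1", proxy.port)) as cli:
        cli.sendall(request)
        cli.shutdown(socket.SHUT_WR)                 # done sending; read until the proxy half-closes
        reply = cli.makefile("rb").read()
    return reply, list(proxy.captured)
```

Calling demo() prints the hex dump of the request going out and the echoed reply coming back. For the real setup from the text, move the service to 18080 first, then construct TcpProxy(8080, ("localhost", 18080)) and call start(); every client that still connects to 8080 is now logged.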

Reading directly from the TCP/IP stack
There has always been software that plugs something into the TCP/IP stack of the Windows machine (a packet capture driver such as WinPcap) and sniffs the traffic from there. The bad side is that the machine has to be tampered with by installing third-party, kernel-level software, and some machines cannot (or should not) be tampered with like that.

A third way
There seems to be software that can sniff the traffic without plugging nasty stuff into the TCP/IP stack. One such example is SmartSniff. It has what its authors call a "Raw Sockets" capture mode, which relies on a raw socket provided by Windows itself instead of on a capture driver, and so far it is working great.
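As an added example of the raw-socket approach, written for this page (it is not SmartSniff's code and does not claim to show how SmartSniff works internally): a Python sniffer that puts a raw IP socket into receive-all mode with the Windows SIO_RCVALL ioctl, the mechanism that needs no driver in the stack, and parses the IPv4 and TCP headers of every packet it receives. The parser and the packet builder run on any platform and are what can be checked offline; sniff() itself requires Windows, an administrator prompt and a local interface address to bind to, and whether it sees anything at all on a given Windows version is subject to the raw-socket restrictions discussed in the comments below. The interface IP and port taken from the command line are assumptions for illustration.

```python
# Raw-socket TCP sniffer with an IPv4/TCP header parser. Added example, not SmartSniff's code.
# The parser runs anywhere; sniff() is Windows-only (SIO_RCVALL) and needs an elevated prompt.
import socket
import struct
from dataclasses import dataclass

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field

@dataclass
class TcpSegment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str
    payload: bytes

def parse_ipv4_tcp(packet: bytes):
    """Parse a raw IPv4 packet; return a TcpSegment, or None if it is not well-formed TCP."""
    if len(packet) < 20:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != socket.IPPROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if 20 <= total_len < len(packet):          # drop padding beyond the IP total length
        packet = packet[:total_len]
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", packet[ihl:ihl + 14])
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(packet) < ihl + doff:
        return None
    flags = "|".join(n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i))
    return TcpSegment(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                      seq, ack, flags, packet[ihl + doff:])

def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload: bytes) -> bytes:
    """Construct a packet for offline testing (checksums left zero, so not valid on the wire)."""
    flag_bits = sum(1 << TCP_FLAG_NAMES.index(f) for f in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flag_bits,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def sniff(iface_ip: str, port: int, limit: int = 20):
    """Yield TCP segments to/from `port` seen on the interface bound to iface_ip (Windows only)."""
    if not hasattr(socket, "SIO_RCVALL"):
        raise RuntimeError("SIO_RCVALL raw-socket capture is only available on Windows")
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_IP)
    s.bind((iface_ip, 0))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)   # packets are handled with IP header
    s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)            # receive everything on this interface
    try:
        seen = 0
        while seen < limit:
            seg = parse_ipv4_tcp(s.recv(65535))
            if seg and port in (seg.sport, seg.dport):
                seen += 1
                yield seg
    finally:
        s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
        s.close()

if __name__ == "__main__":
    import sys
    # Assumed usage: python sniff.py <local interface IP> <service port>, run as Administrator.
    for seg in sniff(sys.argv[1], int(sys.argv[2])):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} [{seg.flags}] {seg.payload[:60]!r}")
```

Note that, unlike the proxy, nothing here sits between the client and the service: the service keeps its port, clients are not redirected, and if the sniffer is not running nothing breaks. The price is that SIO_RCVALL needs administrative rights and hands up whole IP packets, so the TCP stream has to be reassembled from segments by whatever consumes the output.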

3 thoughts on “Sniff TCP connections”

  1. Wouldn't Ethereal do the job for you? By my observation it is the most widespread sniffer of all, and it gives a decent overview of the system by various criteria.

  2. Well, you've missed practically the best network analyzer software that you can get your hands on without spending at least a few thousand dollars - Wireshark. Note the "analyzer" part - sniffing the network is quite an easy task, actually. It's practically the easiest problem you would encounter while implementing a sniffer. A lot more serious is the problem of filtering the data being sniffed, or already sniffed, to match given criteria. On top of that, even more tricky and complicated is the task of actually parsing and analyzing the data. All of the above are solved admirably in Wireshark: it supports the capture filter syntax of tcpdump (which it feeds directly to libpcap), and after the packets are captured, they can be filtered for display with very complex and protocol-specific criteria. Also, it's able to parse the packets of over 81000 protocols (as of version 1.0.6).
    While it is true that it plugs "nasty stuff" into the TCP/IP stack, that's because it's the only reliable way of capturing packets in Windows. As far as raw sockets go, the "bug" (according to SmartSniff's website) that prevents them from working on Windows XP SP1 and up, and in Vista, is more accurately explained in the following quote from Wikipedia:

    When Windows XP was first released in 2001 with raw socket support implemented into the Winsock interface, the media attacked Microsoft saying that raw sockets are only of use to hackers to pull off TCP reset attacks. In the summer before the Windows XP release, security consultant Steve Gibson described in detail why raw sockets in Windows XP were a major security issue. Three years after the Windows XP release, Microsoft silently limited Winsock's raw socket support in a non-removable hotfix and offered no further support or workarounds for applications that used them.

    And finally, in the unlikely event that you can't tamper with the machine being sniffed, you can always get a secondary machine somewhere on its routing path, on which to install the sniffer.

  3. I'm acquainted with both wireshark and ethereal, although not that extensively. Using them is another thing - not at all fluent.

    Anyway, a few months ago on SUSE we managed to find a major router malfunction only with Wireshark.

    Anyway, I would like to dump TCP connections (actually HTTP sessions) on production servers (mostly Windows), so I wouldn't like to tamper with the TCP/IP stack of the machine itself. Ethereal said it could sniff without plugging anything in (don't know how) but it didn't work. It couldn't even start.

    Anyway I find reading the ethereal dump far too difficult.
